On Thu, Oct 19, 2017 at 4:38 PM, Simon Sapin <simon.sa...@exyr.org> wrote:
> On 18/10/2017 22:37, Gregory Szorc wrote:
>
>> The latter merely requires an up-to-date trusted CA certificate roots
>> bundle for x509 certificate verification (assuming the client does
>> certificate validation properly - which older versions of Python don't
>> unless configured to do so - Python's default security story was a mess
>> until relatively recently).
>
> On Windows builders for Servo’s buildbot CI we have Python
> v2.7.12:d33e0cf91556 with ssl.HAS_SNI == True. Connecting to
> https://static-rust-lang-org.s3.amazonaws.com/ works fine, but connecting
> to https://static.rust-lang.org/ (a CloudFront hostname) causes:
>
> URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate
> verify failed (_ssl.c:590)>
>
> On https://www.ssllabs.com/ssltest/analyze.html?d=static.rust-lang.org&s=54.192.142.81&latest
> (picking the first IP address listed), everything in "certification path"
> is either "sent by server" or "in trust store".
>
> Gregory, do you have an idea what could be wrong here?

CERTIFICATE_VERIFY_FAILED likely means there is no trust chain on the client for the server x509 certificate. My guess is the Amazon root CA isn't in the trusted root CA certificates list on that Windows builder. You can verify this by temporarily disabling x509 certificate trust checking via ssl.wrap_socket(cert_reqs=ssl.VERIFY_NONE) (<2.7.9) or ssl.SSLContext.verify_mode = ssl.VERIFY_NONE.

I know Firefox CI has had problems related to the Amazon root CA not being installed because it is a relatively recent root CA.

The generic Python way to fix this is to use the certifi Python package and load it by specifying ca_file to ssl.wrap_socket() (pre 2.7.9) or ssl.SSLContext.load_verify_locations() with 2.7.9+. Or figure out where Python thinks the default CA certificate list is (ssl.get_default_verify_paths()) and ensure a modern root CA bundle is in that location. Although on Windows and MacOS, support for loading certs from the system varies. Read the code comments at https://www.mercurial-scm.org/repo/hg/file/aa5e7b4a3a01/mercurial/sslutil.py#l693. Also note the hack on MacOS's Python where loading a specially crafted CA file has the side-effect of importing CA certs from the MacOS Keychain. Talk about an esoteric hack!

_______________________________________________
dev-servo mailing list
dev-servo@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-servo
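The diagnosis the reply describes (pin the CA bundle Python trusts, find out which bundle it would use by default, and check whether a given root such as the Amazon one is actually loaded) as an added example; this is not code from the thread, from Servo or from Mercurial. It is Python 3 using the same SSLContext API the reply names for 2.7.9+, and it assumes certifi is an optional package that may not be installed.

```python
import socket
import ssl

def ca_bundle_path():
    """Pick the CA bundle to trust: certifi if installed, else Python's default cafile."""
    try:
        import certifi  # optional package (assumption: it may not be installed)
        return certifi.where()
    except ImportError:
        return ssl.get_default_verify_paths().cafile  # None if no file exists (common on Windows)

def verifying_context(cafile=None):
    """Build a client context that insists on a trusted chain and a hostname match."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname=True
    cafile = cafile or ca_bundle_path()
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()  # OS store; behaviour varies on Windows/macOS
    return ctx

def is_strict(ctx):
    """True when the context will refuse untrusted chains and mismatched names."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)

def trusted_root_names(ctx):
    """Subject names of the CA certificates the context actually loaded."""
    names = []
    for cert in ctx.get_ca_certs():
        subject = dict(rdn[0] for rdn in cert.get("subject", ()))
        names.append(subject.get("commonName") or subject.get("organizationName", "?"))
    return names

def has_root(ctx, needle):
    """Is a root whose name contains needle (e.g. 'Amazon Root CA') trusted?"""
    return any(needle.lower() in name.lower() for name in trusted_root_names(ctx))

def probe(host, port=443, cafile=None, timeout=10):
    """Verified TLS handshake; returns (ok, detail) instead of raising."""
    ctx = verifying_context(cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return True, "chain verified; issuer CN=%s" % issuer.get("commonName")
    except ssl.SSLError as err:  # err.reason is e.g. 'CERTIFICATE_VERIFY_FAILED'
        return False, "%s (bundle: %s, roots loaded: %d)" % (
            err.reason, cafile or ca_bundle_path(), len(ctx.get_ca_certs()))
```

Running `probe("static.rust-lang.org")` on the affected builder reports the failure together with the bundle that was used and how many roots it contained, and `has_root(verifying_context(), "Amazon Root CA")` answers directly whether the suspected root is in that bundle.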